-
Notifications
You must be signed in to change notification settings - Fork 554
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
I've trouble understanding security in DID migration #279
Comments
The DID method that we're proposing ( The signingKey is held by the user's personal data server, and the user can decide for their recovery key to be held by either their personal data server or by themselves. It's obviously greater responsibility to hold the recovery key yourself, but it protects you against an adversarial pds. The recovery key has a 72 hr recovery window during which it can "supercede" any operations done by the signing key. A PLC DID is comprised of a list of signed operations, where each operation must be signed by a current valid key. And the did identifier is derived from the hash of the genesis operation. This constrains the PLC node to two attacks:
But the PLC server is not able to forge operations or rotate the users key out from under them. A PDS is able to "steal" a user's username (just as, for instance, twitter is now). All links to a user at the data level reference the user's did for this reason. But this would dramatically reduce trust in the PDS and the user can always migrate to a new server in that event and keep their social graph & data. Does that help clear things up? |
I think you are combining two distinct ideas.
When you do a search for a user you would use the handle. Imagine that you used the Twitter "find my friends" feature and found some handle by their phone number. Now they change there phone number. You are still following them even though someone else may now have their old number. It is irrelevant the identifier in the following list is the DID. A practical example of this is when @Potus was renamed to @potus45 and a new @Potus was assigned In the DID |
closing for now. feel free to keep the discussion going :) |
I don't think the user can migrate to a new server if the PDS is the server that's being in charge of the domain name. Because what people will refer to is the username (Aaron used "Handle") not the DID's hash. Ok, they'll see the social graph on the computer where they have interacted with the previous Handle. But as soon as they start a new device, or simply have to give the contact to someone else, they'll send the Handle to a third party. The third party will use that handle and land on the wrong/stolen PDS's identity, right ? Said differently, a large PDS server might not be tempted to steal a username/handle for its reputation. But:
Ok, but for an external point of view, you've been stolen the handle. Any new person won't be able to find you since the handle is the "human usable name". That begs another question: how do you prevent a cyber squatting of handles ? |
Yes it's true that if your handle is stolen, you will need to use a different handle. Which is to say, there's still some disruption that occurs if your identity provider attacks you. However your social (follows) graph is constructed from DIDs so you will keep all your follows & followers. Your display name & profile picture will remain the same. It should be fairly reasonable for your followers to intuit your new handle. If someone steals a username "for their reputation", they get a new account with 0 followers with that username.
|
Maybe it's not clear, but it seems to me that if a user is using a third party service to host his DID document, then the third party service can, anytime, modify the document by generating new key pairs (and thus, creating a valid new DID document that's erasing the previous history of the user).
Imagine GoDaddy used as a domain name manager + web hosting. What prevent them from creating a new @alice.com user that's wiping the previous one, by changing the DNS entry (not even required if it points to their own webserver) and webserver ?
The text was updated successfully, but these errors were encountered: